What is DNS Rebinding?
DNS rebinding is an attack that tricks a browser into treating an attacker-controlled external domain as if it belonged to the victim's internal network.
The same-origin policy identifies an origin by its scheme, hostname, and port. The hostname is the element browsers use to tell one server from another, but hostnames are not bound to network devices directly: DNS resolves a hostname to an IP address, and that IP address is then assigned to a device, either statically or dynamically. Because domain owners have full control over their DNS records, they can point a hostname at any IP address they like. DNS rebinding abuses exactly this privilege.
Once a victim's browser has loaded the malicious page from the attacker's server, the attacker rebinds the hostname to an internal IP address that refers to the target server. Scripts served under the malicious hostname can then reach private resources without ever violating the same-origin policy, because from the browser's point of view the origin has not changed.
In the diagram above, Adam opens the attacker's site xyz in his browser. The browser sends a DNS query for xyz, which the attacker's resolver answers with the address of the malicious server, 20.1.12.3. Once the page has loaded, the malicious script on the attacker's site triggers another DNS resolution for its own domain.
This time the attacker's resolver returns 192.168.12.3 instead, so the hostname xyz is now bound to the target's IP address. From then on the script keeps sending requests to xyz, and those requests reach the private server. Because Adam's browser does not consider them cross-origin, the malicious page can read the responses and exfiltrate the stolen data for as long as it stays open in the victim's browser.
See also: What is DNS (Domain Name Server)? | How DNS works
How to protect against DNS rebinding?
There are three classes of mitigation you can use to protect against DNS rebinding:
- Browser-based Mitigation
- DNS-based Mitigation
- Server-based Mitigation
Browser-based Mitigation
Modern browsers such as Chrome and Firefox use a technique called DNS pinning to defend against DNS rebinding. Regardless of the time-to-live (TTL) of the DNS record, the browser caches a resolution result for a fixed minimum period (typically about 60 seconds). A rogue website therefore cannot use that window to force repeated DNS lookups and rebind its hostname.
This protection is convenient because it can be implemented entirely in the browser, without changes to the rest of the network infrastructure. It is limited, however, to blocking the time-varying attack, which is the conventional implementation of DNS rebinding. In that technique the attacker gives the malicious hostname's DNS record a very short TTL. The rebinding script starts in the victim's browser, waits for the record to expire, and then sends a request to its own hostname, expecting the browser to resolve the name again and obtain the target IP address. With DNS pinning the browser reuses the first result for the second request despite the low TTL.
DNS pinning can nevertheless be bypassed. The simplest method is to have the malicious script keep issuing requests until the browser's pinned entry expires; at that point the hostname is rebound to the target IP address and the target service answers the attacker's page as expected.
A more sophisticated technique, the multiple A-records attack, achieves DNS rebinding more efficiently and reliably even against DNS pinning. The steps are shown in Figure 6. The DNS behaviour differs from the conventional attack: the victim's browser resolves the malicious hostname only once, but the response contains two A records, the attacker's public IP address and the target's private IP address. When the malicious script sends its second request, the browser tries the public IP address first. The attacker's web server, however, has remembered the victim's IP address and now uses a firewall to block incoming traffic from it. Because that connection fails, the browser falls back to the private IP address, and the rebinding completes without any further DNS lookup.
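The following simulation, added here as an example rather than taken from the article, models a browser host cache with DNS pinning and runs both attacks against it with a controllable clock. The attacker and target addresses are the ones from the diagram above; the victim address, the 60-second pin window, the resolver classes and the firewall behaviour are assumptions made for the illustration. It shows why the time-varying attack only succeeds once the pin expires, while the multiple A-records variant succeeds inside the pin window because it never needs a second lookup.

```python
"""Simulation of DNS pinning against the time-varying and multiple-A-records
rebinding attacks. Added example; not code from the original article."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ATTACKER_IP = "20.1.12.3"     # attacker's public server (address from the article's example)
TARGET_IP = "192.168.12.3"    # private target behind the victim's firewall (from the article)
VICTIM_IP = "203.0.113.7"     # constructed victim address, as seen by the attacker's server
PIN_SECONDS = 60              # assumed pin window; Chrome and Firefox use about a minute


@dataclass
class DnsRecord:
    ips: List[str]   # all A records in the answer, in the order returned
    ttl: int


class TimeVaryingResolver:
    """Attacker-controlled authoritative resolver for the conventional attack:
    answers the attacker's IP once with a tiny TTL, then the target's IP."""

    def __init__(self) -> None:
        self.queries = 0

    def resolve(self, hostname: str) -> DnsRecord:
        self.queries += 1
        return DnsRecord([ATTACKER_IP if self.queries == 1 else TARGET_IP], ttl=1)


class MultiARecordResolver:
    """Resolver for the multiple-A-records attack: one answer, two addresses."""

    def resolve(self, hostname: str) -> DnsRecord:
        return DnsRecord([ATTACKER_IP, TARGET_IP], ttl=3600)


class PinningHostCache:
    """Browser host cache with DNS pinning: an entry lives for at least
    pin_seconds even when the record's own TTL is shorter."""

    def __init__(self, resolver, pin_seconds: int) -> None:
        self.resolver = resolver
        self.pin_seconds = pin_seconds
        self.entries: Dict[str, Tuple[List[str], float]] = {}  # host -> (ips, expiry)

    def lookup(self, hostname: str, now: float) -> List[str]:
        entry = self.entries.get(hostname)
        if entry is not None and now < entry[1]:
            return entry[0]                       # still pinned: no new DNS query
        record = self.resolver.resolve(hostname)
        self.entries[hostname] = (record.ips, now + max(record.ttl, self.pin_seconds))
        return record.ips


def time_varying_attack(pin_seconds: int) -> List[str]:
    """Address the browser contacts on the first load, right after the 1 s TTL
    has expired, and just after the pin window has elapsed."""
    cache = PinningHostCache(TimeVaryingResolver(), pin_seconds)
    after_pin = max(pin_seconds, 2) + 1
    return [cache.lookup("xyz", t)[0] for t in (0, 2, after_pin)]


class AttackerFirewall:
    """The attacker's server lets each victim connect once, then drops its traffic."""

    def __init__(self) -> None:
        self.seen: Set[str] = set()

    def accepts(self, victim_ip: str) -> bool:
        if victim_ip in self.seen:
            return False
        self.seen.add(victim_ip)
        return True


def connect(ips: List[str], victim_ip: str, firewall: AttackerFirewall) -> str:
    """Browser connection logic: try the addresses in order and fall back to the
    next one when a connection fails. The private address is assumed reachable."""
    for ip in ips:
        if ip == ATTACKER_IP and not firewall.accepts(victim_ip):
            continue                              # dropped by the firewall: fall back
        return ip
    raise ConnectionError("no reachable address")


def multiple_a_records_attack(pin_seconds: int = PIN_SECONDS) -> List[str]:
    """Address reached by the first (page load) and second (rebinding) request."""
    cache = PinningHostCache(MultiARecordResolver(), pin_seconds)
    firewall = AttackerFirewall()
    first = connect(cache.lookup("xyz", 0), VICTIM_IP, firewall)
    second = connect(cache.lookup("xyz", 5), VICTIM_IP, firewall)  # pinned: same two IPs
    return [first, second]
```

With `time_varying_attack(PIN_SECONDS)` the second request still lands on the attacker's server although the record's TTL has long expired, and only the request after the pin window reaches the private target; with `time_varying_attack(0)` (no pinning) the rebind succeeds as soon as the TTL runs out. `multiple_a_records_attack()` reaches the target on its second request inside the pin window, which is the whole point of that variant.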
DNS-based Mitigation
Another class of mitigation acts at the DNS resolution stage. The secure DNS service OpenDNS drops DNS responses that point to RFC 1918 and loopback IP addresses. DNS caching software such as Dnsmasq (the --stop-dns-rebind option) and Unbound (the private-address option) implement similar filtering of private IP addresses.
Although this is a centralized defence as well, it has drawbacks. First, not every filtering resolver blocks every IP address that can reach a private service. For instance, the non-routable address 0.0.0.0, which on many systems is treated as an address of the local machine, can be the target of a DNS rebinding attack, yet several filtering policies overlook it.
Second, attackers can use CNAME records to rebind a hostname to an internal hostname rather than to a private IP address. The final resolution to a private IP address is then performed by the victim's machine or internal resolver, not by the filtering resolver. A rogue hostname can, for example, be aliased to localhost, after which all subsequent traffic reaches the local service. In short, IP-based blocking does not prevent every form of DNS rebinding.
Server-based Mitigation
Web application defences can block DNS rebinding reliably. One approach is to use HTTPS for all private services. The TLS handshake validates the server certificate against the hostname the browser asked for, and during a DNS rebinding attack the browser believes it is talking to the attacker's domain while the internal server's certificate is issued for a different name.
The handshake therefore fails, and the attacking script cannot connect to the target service over TLS. The same mismatch is visible in plain HTTP: the browser's requests still carry the attacker's hostname in the Host header, so a private service can reject any request whose Host header is not on its own allow-list. Enforcing strong authentication on all private services is also effective: even if attackers succeed in rebinding, this application-level protection stops them from reaching sensitive data.
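As an added example of the Host-header check (not code from the article, and not tied to any particular framework), the following minimal HTTP handler refuses requests whose Host header does not name the service. The allow-list entries, the port and the attacker hostname are constructed; the target address 192.168.12.3 is the one from the article's example.

```python
"""Host-header allow-list for a private HTTP service. Added example; the
allowed names and the sample headers are assumptions for illustration."""

import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, Optional, Tuple

# Names and addresses this service legitimately answers to (assumed).
ALLOWED_HOSTS = {"intranet.internal", "192.168.12.3", "localhost", "127.0.0.1"}


def split_host_port(host_header: str) -> Tuple[str, Optional[int]]:
    """Split 'name', 'name:port' or '[v6]:port' into (name, port).
    Raises ValueError on anything that is not a well-formed Host value."""
    h = host_header.strip()
    if h.startswith("["):                            # IPv6 literal in brackets
        end = h.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        name, rest = h[1:end], h[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("junk after IPv6 literal")
        rest = rest[1:]
    else:
        name, _, rest = h.partition(":")
    if rest and not rest.isdigit():
        raise ValueError("malformed port")
    if not name:
        raise ValueError("empty host name")
    return name.lower().rstrip("."), (int(rest) if rest else None)


def host_allowed(host_header: Optional[str],
                 allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """True only when the Host header names this service. During a rebinding
    attack the browser still sends the attacker's hostname here, because the
    origin it believes it is talking to has not changed."""
    if not host_header:
        return False                 # HTTP/1.1 requires Host; refuse ambiguous requests
    try:
        name, _port = split_host_port(host_header)
    except ValueError:
        return False
    try:
        name = str(ipaddress.ip_address(name))   # canonicalise literals such as [::0001]
    except ValueError:
        pass                                     # plain hostname, already lower-cased
    return name in {a.lower() for a in allowed}


class RebindAwareHandler(BaseHTTPRequestHandler):
    """Answers only requests whose Host header is on the allow-list."""

    def do_GET(self) -> None:
        if not host_allowed(self.headers.get("Host")):
            self.send_error(421, "Misdirected Request")   # wrong Host: refuse
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"private data\n")


if __name__ == "__main__":
    # Bind to loopback for the demonstration; port is an arbitrary choice.
    HTTPServer(("127.0.0.1", 8080), RebindAwareHandler).serve_forever()
```

The check is deliberately independent of the source IP: in a rebinding attack the request comes from a legitimate internal client, so the Host header (or the TLS server name) is the only signal that distinguishes it from a normal request. Reverse proxies that rewrite Host must be configured so the original value still reaches this check.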
Conclusion
The DNS rebinding attack uses victims' browsers as traffic tunnels to reach private services. With it, attackers can send forged requests to internal servers and steal sensitive data. Web applications, browsers, and resolvers have all adopted defences against it, but some sophisticated variants still bypass the conventional protections, and the complexity of internal network environments makes complete protection hard to enforce.